This isn't true. I can make a Security Zone named "Plant" based strictly on IP to restrict access to a subnet of my organization. I can also make a Security Level for my Operators, where I dictate any user from my facility receive that Security Level.
With these two potential requirements in place, ready to use, and applied as requirements, there are two different potentialities - both of which are valid and have realistic use-cases:
- All of: Someone from my facility must be logged in AND must be on a machine which is part of the local subnet.
- Any of: Someone from my facility must be logged in (but they could be located off-site - like a remote worker) OR any machine from the local subnet could have access - even if no user is logged in.
Now, maybe this doesn't suit all needs. Suppose I want to allow all logged in facility workers but I want to require they be on-site, AND I want to allow Management, who might not be on-site. At this point you just need to create a Security Level called something like "On-Site Operator" where that Security Level is a combination of the rules you created for Operator and the Security Zone. Then you can specify the Security Settings for the component as requiring "any of" the "On-Site Operator" or "Management" Security Levels.